This diagram shows the six-step encryption process when using CSE-KMS:
Let's understand the process:
- The client will use an AWS SDK and, in this example, the Java client, to request data keys from KMS using a specified CMK.
- Using the CMK selected in step 1, KMS will then generate two data keys: a plaintext data key and a cipher blob of the first key.
- KMS will then send these keys back to the requesting client.
- The client will perform the encryption against the object data with the plaintext version of the data key and then store the resulting encrypted object.
- The client then uploads the encrypted object data and the cipher blob version of the key created by KMS to S3.
- The final stage involves the cipher blob key being stored as metadata against the encrypted object, maintaining a linked association.
This diagram shows the six-step decryption process when using CSE-KMS:
Let's understand the process:
- A user...